Four phone hackers in the Philippines have been arrested for turning corporate …

A quartet of hackers based in the Philippines have allegedly bilked AT&T and possibly other telecommunications companies out of millions, which they channeled to their own bank accounts and to accounts associated with a terrorist organization. And apparently, AT&T helped them collect the money.

On November 24, the Philippine National Police's Criminal Investigation and Detection Group and the FBI staged raids in Manila, arresting Macnell Gracilla, Francisco Manalac, Regina Balura, and Paul Michael Kwan. The CIDG said in a statement that the hackers had been financed by Jemaah Islamiyah, a terrorist group that the FBI has said funded the November 2008 attacks in Mumbai. While few details have been offered up by AT&T or law enforcement, at least one of the four has been involved in previous "phreaking," or phone hacking, of telecom customers' private branch exchanges (PBXs); in fact, he was indicted in the US in 2009 for a similar crime. The arrests are part of an FBI effort to crack down on PBX hacking that dates back to 1999.

Kwan's success, both times, in turning corporate phone systems into virtual ATMs for himself and a Pakistani partner was largely a product of the horrific state of phone-system security at many large organizations. In the 2009 case, Kwan and his cohorts didn't need to try very hard to break into PBX switches, because the switches still had their default passwords on them, and it's likely the same was true in this new case.

PBX hacking 101

The first step in turning someone else's phone lines into cash is to collect information about different PBX systems: getting their hands on physical or digital copies of the manuals, and learning each system's dial-pad commands for remote access and its default passwords. Kwan and the phreakers he worked with from 2005 to 2008 were able to use default passwords to gain access to many of the PBX systems they exploited.

The next step is to find a vulnerable PBX. Phreakers can identify target systems either by searching phone directories (on the Internet or, as Kwan and company did in their first venture, in printed form) for the numbers of organizations that use a PBX, or by running a "war dialer" program on a computer that walks through sequences of phone numbers. They work through numbers until they find one that gives them a way into a PBX's commands through a voicemail menu, usually the PBX's Direct Inward System Access (DISA) number, which allows employees to dial into the system and then place outbound calls as if they were calling from the phone system itself.

Working from the Philippines during the day, the phreakers could dial through masses of US business numbers after hours, trying to gain access to phone systems through unused extensions or through extensions that still had default passwords in place. Using a "brute force" approach (systematically working through extensions and pass codes with the aid of dialing software), the phreakers would gain access to extensions, change their passwords, and then exploit the extension to make outbound calls using the DISA number.

If the phreakers discover a DISA number, they can brute-force the possible passwords and gain access to the PBX to place calls to any number they choose. Alternatively, if they manage to take control of an internal extension, they can use the "loop-back" method: placing a call into the extension, and then using the extension to dial out to another number. In both cases the phreaker has to pay for the inbound call to the PBX, unless they have found a toll-free DISA number or the PBX has voice-over-IP capabilities that accept inbound connections over the Internet.
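The sequence above leaves a recognizable trail in the PBX's own call detail records (CDRs). What follows is an added example of mine, not code from the article: it scores a constructed CDR sample for the two signatures just described, a burst of brief inbound calls to the DISA access number from one caller (passcode guessing) and, afterwards, a run of after-hours outbound international and premium-rate calls from a single extension. The record layout, the DISA number, the toll prefixes and the thresholds are assumptions; real PBXs export CDRs in vendor-specific formats.

```python
"""Flag DISA passcode brute-forcing and after-hours toll fraud in PBX CDRs.

Added example; the record layout, numbers and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISA_NUMBER = "5550100"                  # assumed: the PBX's DISA access line
BUSINESS_HOURS = range(7, 20)            # assumed: 07:00-19:59 local time
TOLL_PREFIXES = ("011", "1900", "1976")  # assumed: intl access + US premium-rate

# Constructed sample records: (timestamp, direction, source, destination, seconds).
SAMPLE_CDRS = [
    # brute-force burst against the DISA line from one overseas caller
    ("2011-11-20 02:01:10", "in", "6329000001", "5550100", 8),
    ("2011-11-20 02:01:25", "in", "6329000001", "5550100", 7),
    ("2011-11-20 02:01:41", "in", "6329000001", "5550100", 9),
    ("2011-11-20 02:01:58", "in", "6329000001", "5550100", 6),
    ("2011-11-20 02:02:14", "in", "6329000001", "5550100", 8),
    ("2011-11-20 02:02:31", "in", "6329000001", "5550100", 41),   # passcode found
    # the compromised extension then dials out overseas after hours
    ("2011-11-20 02:30:02", "out", "2214", "011441234567890", 612),
    ("2011-11-20 02:35:40", "out", "2214", "4105550123", 35),      # domestic, ignored
    ("2011-11-20 02:41:17", "out", "2214", "0119234567890", 788),
    ("2011-11-20 02:55:09", "out", "2214", "19005551234", 901),
    ("2011-11-20 03:10:44", "out", "2214", "0112345678901", 650),
    # ordinary daytime traffic that must not be flagged
    ("2011-11-20 08:30:00", "in", "4105550177", "5550100", 95),
    ("2011-11-20 10:15:12", "out", "2101", "4105550199", 240),
    ("2011-11-20 14:00:05", "out", "2101", "011441234", 180),
]


def parse_cdr(rec):
    ts, direction, src, dst, secs = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "dir": direction, "src": src, "dst": dst, "secs": int(secs)}


def find_disa_bruteforce(cdrs, window=timedelta(minutes=10),
                         min_attempts=5, max_secs=20):
    """Callers that hit the DISA line min_attempts or more times with brief
    calls inside one sliding window: the signature of passcode guessing."""
    attempts = defaultdict(list)
    for c in cdrs:
        if c["dir"] == "in" and c["dst"] == DISA_NUMBER and c["secs"] <= max_secs:
            attempts[c["src"]].append(c["ts"])
    flagged = set()
    for src, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= min_attempts:
                flagged.add(src)
                break
    return flagged


def is_toll(dst):
    return dst.startswith(TOLL_PREFIXES)


def find_after_hours_toll(cdrs, min_calls=3):
    """{extension: [destinations]} for extensions that placed min_calls or
    more international/premium-rate calls outside business hours."""
    by_ext = defaultdict(list)
    for c in cdrs:
        if (c["dir"] == "out" and is_toll(c["dst"])
                and c["ts"].hour not in BUSINESS_HOURS):
            by_ext[c["src"]].append(c["dst"])
    return {ext: dsts for ext, dsts in by_ext.items() if len(dsts) >= min_calls}


def report(records):
    cdrs = [parse_cdr(r) for r in records]
    return {"disa_bruteforce": find_disa_bruteforce(cdrs),
            "after_hours_toll": find_after_hours_toll(cdrs)}


if __name__ == "__main__":
    print(report(SAMPLE_CDRS))
```

The 41-second call that ends the burst is the successful guess. In practice the first long DISA session following a cluster of short failures is the single most useful alert, because it fires hours before the outbound calls show up on a bill.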

Turning a profit

While many phreakers may exploit a PBX for the thrill of it and possibly place a call or two, Kwan and his fellow phreakers are alleged to have conducted phone fraud of this sort on an epic level, turning exploited PBXs belonging to AT&T and Sprint customers in the US into their very own long-distance service. From 2005 to 2008, Kwan and a group of other phreakers in the Philippines sold access to compromised PBXs to Muhammed Zamir, a Pakistani and a member of Jemaah Islamiyah, then living in Italy. Zamir and his wife operated "calling centers" in Brescia and Macerata, Italy: storefront operations that offered low-cost international calls. Zamir charged customers by the minute for their calls, connecting them through PBX systems attached to AT&T and Sprint long-distance service.

Kwan and his cohorts in the Philippines provided a stream of PBX systems to exploit. Zamir would also sell the extension and passcode information to other calling center operators in Italy and Spain. Altogether, the call centers placed about $55 million worth of phone calls over a three-year period. Kwan and his partners were paid a whopping $1,270 for their work by Western Union money transfers before the FBI and Italian authorities caught up with the operation in 2009, and Zamir and five other Pakistanis were arrested. That same year, Kwan was indicted in New Jersey on charges of conspiracy.

But that wasn't the end of the game. In 2009, Jemaah Islamiyah came under new management, taken over by an unidentified Saudi national, and went back to Kwan and other Filipino phreakers to carry out a new fund-raising scheme. Instead of operating calling centers and reselling a service stolen from AT&T and others, the scam shifted to making the telcos themselves into unwitting accomplices.

The phreakers used their access to PBX systems to place outbound calls not to customers' overseas relatives, but to international "premium-rate" services, the equivalent of 900 numbers in the US, where callers are assessed a per-minute fee on their phone bill for services ranging from specialized long-distance service to "hot singles party chat." Using the trunk lines of exploited PBXs, the ring directed hundreds of calls to these services. At least some of the revenue generated from the calls, a reported $2 million through AT&T alone, was transferred to bank accounts associated with Jemaah Islamiyah, and a percentage was transferred back to the phreakers as payment.

AT&T has absorbed its losses, refunding customers for the fraudulent charges. That's unusual in a PBX-hacking case, Lieberman Software CEO Phil Lieberman said in an interview with Ars Technica: usually the customers get stuck with the bill for their poor PBX security, and telecommunications providers rarely warn them of strange billing patterns. (Lieberman Software provides security software to a number of companies in the telecommunications business.) "The way these hacks are usually discovered is when you get your bill," Lieberman told us. But he said that if some of the charges were accrued through 900-like services and AT&T had already paid out on them, that was most likely the reason it absorbed the loss.

Unfortunately for Kwan and his co-conspirators, in the end it was the bank transactions to the phreakers from the Jemaah Islamiyah-linked accounts that allowed the FBI to trace their location to Manila. The four captured in the raid are facing charges in the Philippines; there's no word on whether the US will seek the extradition of Kwan on the outstanding conspiracy indictment.

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com / Twitter: @thepacketrat

So the moral of this story is to get a good money launderer before perpetrating international fraud?

You must be a follower of the Tao of Garak.

Garak: "Why is it no-one ever believes me, even when I'm telling the truth?"

Julian: "Have you ever heard the story of the boy who cried wolf?"

Garak: "No!"

Julian: "It's a children's story. A young shepherd gets lonely while tending his flock. He cries 'Wolf!' and the townspeople come rushing to his aid. When they discover there is no wolf, he claims he scared the wolf off, and they congratulate him for his bravery."

Garak: "What a clever boy!"

Julian: "There's more. The boy did the same thing the next day, and the day after, and the day after. And on the next day, when a wolf really did come, the townspeople didn't come. They'd gotten tired of his lying. The wolf ate all the sheep and the little boy."

Garak: "Isn't that a bit gruesome for a children's story?"

Julian: "The moral is that if you lie all the time, people won't believe you even if you're telling the truth."

How do the companies not notice this? I am an IT guy who is also in charge of our phone system. I would notice right away that all our lines are busy, or I would get a call from somebody that all of a sudden they could not get into their voice mail.

Phone systems are a racket in and of themselves. Ancient, proprietary, inflexible, expensive garbage, the whole pile of it. I'd say the blame here lies squarely with overpriced vendors, who swoop in and set it all up, throw a binder at the local sys admin, and disappear, only to show up again at lawyer rates.

As a result, they're poorly updated, often left vulnerable, and few people really understand how it all works, except the vendors who, again, care more about billable hours than much else.

I'm willing to bet that this sort of things goes on all the time in all kinds of forms, theft of services and outright espionage among them. Only these guys were greedy enough to get noticed and caught.

How do the companies not notice this? I am an IT guy who is also in charge of our phone system. I would notice right away that all our lines are busy, or I would get a call from somebody that all of a sudden they could not get into their voice mail.

How do other companies not notice this?

The article mentioned that it was happening largely after hours. It makes sense, given the time differential between the US and Saudi Arabia. Does that answer your question?

Also, are you -sure- you would know right away if your phone system was doing things you didn't know about?

"Phreaking" is a really bad name for phone hacking; there's already a hacking technique called Van Eck Phreaking, which allows the remote viewing of a CRT or LCD screen if specialized hardware can be placed within a few feet of the target.

Telephone phreaking predates Van Eck phreaking by over a decade.

No kidding. People were phone phreaking in the 1950s, Van Eck was 30 years later, and the "phreaking" from the name was a direct reference to phone phreaking. Gotta learn your history!

How do the companies not notice this? I am an IT guy who is also in charge of our phone system. I would notice right away that all our lines are busy, or I would get a call from somebody that all of a sudden they could not get into their voice mail.

How do other companies not notice this?

The article mentioned that it was happening largely after hours. It makes sense, given the time differential between the US and Saudi Arabia. Does that answer your question?

Also, are you -sure- you would know right away if your phone system was doing things you didn't know about?

Kinda with deet on this one. Having once run our office's PBX (now on VOIP, phew) I know I really wouldn't have noticed. During normal working hours, if one had root access to the system, you can watch your PRI status and place just enough calls to not saturate the lines and lead to user complaints. Off hours, as the article says, it's game on.

I know personally I didn't pore over call records, for I just maintained and programmed the systems. If something was screwy I'd look around trying to find a dead PRI, a typo somewhere, or a dying card but wouldn't need to go much further. The money side (bills) for usage would go to accounting and I'd never see any changes in usage, nor would I care. Accounting just pays the bill.

Even worse than making free phone calls is the use of exploited phone system to run telephone scams. The phreakers sell the exploited numbers to people running phone scams such as "Send us the tax money and we will send you your prize money." It could also be called "Take the money and run." Any attempt to trace the phone number involved will lead back to the exploited PBX. Lacking cooperation from the PBX owner the investigation is unlikely to go any further.

Altogether, the call centers placed about $55 million worth of phone calls over a three-year period. Kwan and his partners were paid a whopping $1,270 for their work by Western Union money transfers...

Am I reading this right?

They made $55M worth of calls ... but netted only $1200 in payment from their customers?

Is that... is that right? That seems like a shit deal to me if I was going to spend my time breaking the law hacking international phone systems.

Kinda with deet on this one. Having once run our office's PBX (now on VOIP, phew) I know I really wouldn't have noticed. During normal working hours, if one had root access to the system, you can watch your PRI status and place just enough calls to not saturate the lines and lead to user complaints. Off hours, as the article says, it's game on.

I know personally I didn't pore over call records, for I just maintained and programmed the systems. If something was screwy I'd look around trying to find a dead PRI, a typo somewhere, or a dying card but wouldn't need to go much further. The money side (bills) for usage would go to accounting and I'd never see any changes in usage, nor would I care. Accounting just pays the bill.

This *did* happen at a past employer. One of our site's PBX was compromised and used to make roughly $80k in calls to Puerto Rico over 6 months before AT&T alerted us. We never noticed it because the charges sort of ramped up gradually rather than just suddenly hitting all at once. The first couple of months were well within our monthly fluctuation (we regularly had $50k in international calls a month across US operations.) If AT&T didn't notice it, our accounting people never would have. It would have taken a technical issue for it to come to light.

"Phreaking" is a really bad name for phone hacking; there's already a hacking technique called Van Eck Phreaking, which allows the remote viewing of a CRT or LCD screen if specialized hardware can be placed within a few feet of the target.

Telephone phreaking predates Van Eck phreaking by over a decade.

No kidding. People were phone phreaking in the 1950s, Van Eck was 30 years later, and the "phreaking" from the name was a direct reference to phone phreaking. Gotta learn your history!

To add to the appropriateness of the graphic, Captain Crunch was the nickname of one of the Golden Era Phone Phreakers

How do the companies not notice this? I am an IT guy who is also in charge of our phone system. I would notice right away that all our lines are busy, or I would get a call from somebody that all of a sudden they could not get into their voice mail.

How do other companies not notice this?

The article mentioned that it was happening largely after hours. It makes sense, given the time differential between the US and Saudi Arabia. Does that answer your question?

Also, are you -sure- you would know right away if your phone system was doing things you didn't know about?

With our pbx system by default DISA comes disabled. ALSO with our brand pbx you cannot access the pbx programming through any outside lines. The only thing you would be able to do is access the voicemail system.

Now there are other brands of PBX that allow you to program your PBX by dialing in. Mine does not allow this. Our phone system is only 3 years old though. I can see how older systems would allow this by default.

They made $55M worth of calls ... but netted only $1200 in payment from their customers?

Is that... is that right? That seems like a shit deal to me if I was going to spend my time breaking the law hacking international phone systems.

If I read it correctly, the $1200 was from the initial scam pre-2009, while the 55 million was from the new one.

I think the $55 million and $1200 figures are both from the initial scam.

The phreakers themselves were paid only $1200 for the numbers they provided in the first scam. The rest of the money was pocketed by the calling center operators, who simply paid for the access codes. There's no word on how much of a cut they got from the premium service scam.

Wardialers are a huge problem -- I run my own asterisk install at home, and I regularly get large numbers of bogus connection attempts. Since I don't keep too much credit on my outbound trunk accounts, it's unlikely that I'm going to lose too much if a break-in occurs -- but it still bugged me that my system was vulnerable.

Enter fail2ban. I now ban any IP address that attempts to log into my PBX system more than three times. Logs are much cleaner now. If a break-in *does* occur, there are calling rules in place to make sure that expensive 900 numbers are out of bounds.

Modern software PBXs are miraculous things, but they require more than a small amount of common sense to run safely.
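The "calling rules" this commenter mentions are the cheapest control against the premium-rate scheme in the article. The block below is an added example of mine, not the commenter's Asterisk configuration: it models an outbound policy in Python, normalizing what a user dialled (optional trunk-access digit, + or 011 for international) and then deciding whether the call may complete. The trunk-access digit, the prefix tables, the one extension allowed to call internationally and the business-hours rule are all assumptions. One detail worth keeping whatever dial plan you run: several Caribbean countries share the North American numbering plan, so an 876 or 809 number looks domestic to the caller but bills as international, and a rule that only blocks 011 misses it.

```python
"""Outbound call policy: classify a dialled string, then allow or refuse it.

Added example; trunk digit, prefix tables, allowed extensions and hours
are assumptions, not a real PBX's configuration.
"""

BUSINESS_HOURS = range(7, 20)            # assumed: 07:00-19:59 local time
TRUNK_ACCESS = "9"                       # assumed: digit users dial for an outside line
EMERGENCY = ("911", TRUNK_ACCESS + "911")
PREMIUM_NANP = ("1900", "1976")          # US premium-rate numbering
# Partial list (assumption) of NANP area codes that bill as international
# from the US even though they are dialled like domestic numbers.
CARIBBEAN_NANP = ("1809", "1829", "1849", "1876", "1868", "1758", "1767",
                  "1784", "1473", "1664", "1649", "1721", "1242", "1246",
                  "1268", "1284", "1345", "1441", "1869")
INTL_ALLOWED_EXTENSIONS = frozenset({"2101"})   # assumed: the only ext cleared for intl


def classify(dialed):
    """Normalise a dialled string and return (kind, digits).

    kind is one of: emergency, internal, domestic, premium, international.
    NANP numbers are returned as 11 digits with the leading 1; other
    countries as country code + national number, without + or 011.
    """
    d = "".join(ch for ch in dialed if ch.isdigit() or ch == "+")
    if d in EMERGENCY:
        return "emergency", "911"
    # A single trunk digit is ambiguous with extensions that start with 9, so
    # strip it only when what follows is long enough to be an outside number.
    if d.startswith(TRUNK_ACCESS) and (d[1:2] == "+" or len(d) >= 11):
        d = d[len(TRUNK_ACCESS):]
    if d.startswith("+"):
        d = d[1:]
    elif d.startswith("011"):
        d = d[3:]
    elif len(d) == 10:
        d = "1" + d                      # NANP dialled without country code
    elif not (len(d) == 11 and d.startswith("1")):
        return "internal", d             # short string: an extension
    if d.startswith("1"):
        if d.startswith(PREMIUM_NANP):
            return "premium", d
        if d.startswith(CARIBBEAN_NANP):
            return "international", d    # looks domestic, bills international
        return "domestic", d
    return "international", d


def route_allowed(dialed, extension, hour, intl_allowed=INTL_ALLOWED_EXTENSIONS):
    """Return (allowed, reason) for a call from `extension` at local `hour`."""
    kind, _number = classify(dialed)
    if kind in ("emergency", "internal", "domestic"):
        return True, kind
    if kind == "premium":
        return False, "premium-rate destination blocked"
    if extension not in intl_allowed:
        return False, f"international not permitted for extension {extension}"
    if hour not in BUSINESS_HOURS:
        return False, "international blocked outside business hours"
    return True, "international"


if __name__ == "__main__":
    for attempt in (("9-1-900-555-1234", "2214", 10),
                    ("98765551234", "2214", 10),
                    ("9 011 44 20 7946 0123", "2101", 2),
                    ("911", "2214", 3)):
        print(attempt, "->", route_allowed(*attempt))
```

Refusing premium-rate and Caribbean destinations outright, and refusing international calls after hours from every extension that has no business need for them, removes most of the value a hijacked DISA passcode has to an attacker; the brute-force lockout limits how many passcodes they can try, but the dial plan limits what a stolen one is worth.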

To add to the appropriateness of the graphic, Captain Crunch was the nickname of one of the Golden Era Phone Phreakers

That was the in-joke, yes, I'm glad some people are catching that.

Was Cap'n Crunch an actual person? I thought it was just the technique, based on the whistle toys that used to come with the cereal. Although I guess that doesn't stop it from being a person, too...

Either way, I'm just glad I got to see the word 'phreaking' used. It's been a few years since I've heard that one.

Yeah, he was a person. He could whistle the same 2600Hz tone produced by the toys in the cereal boxes. (Also where the name 2600 came from)

Actually, the phreaker Cap'n Crunch (his real name: John Draper) got his nickname because he discovered that a whistle that came in boxes of Cap'n Crunch cereal made a 2600 Hz tone. Another phreaker, Joe Engressia (known as Joybubbles), was the one who discovered (reportedly at age 7) that he could whistle at 2600 Hz.

Yup, was and still is, I actually linked his Wiki page earlier in this thread. When I was growing up in San Francisco I'd go to the 2600 meetups at the Embarcadero, no idea if anyone does that anymore, was probably a couple decades ago.

Edit: From Wikipedia:

Quote:

One oft-repeated story featuring Captain Crunch goes as follows: Draper picked up a public phone, then proceeded to “phreak” his call around the world. At no charge, he routed a call through different phone switches in countries such as Japan, Russia and England. Once he had set the call to go through dozens of countries, he dialed the number of the public phone next to him. A few minutes later, the phone next to him rang. Draper spoke into the first phone, and, after quite a few seconds, he heard his own voice very faintly on the other phone.

Yup, was and still is, I actually linked his Wiki page earlier in this thread. When I was growing up in San Francisco I'd go to the 2600 meetups at the Embarcadero, no idea if anyone does that anymore, was probably a couple decades ago.

Edit: From Wikipedia:

Quote:

One oft-repeated story featuring Captain Crunch goes as follows: Draper picked up a public phone, then proceeded to “phreak” his call around the world. At no charge, he routed a call through different phone switches in countries such as Japan, Russia and England. Once he had set the call to go through dozens of countries, he dialed the number of the public phone next to him. A few minutes later, the phone next to him rang. Draper spoke into the first phone, and, after quite a few seconds, he heard his own voice very faintly on the other phone.

Heh, I remember hearing that story myself.

Funny about the mention of "faint". One would have guessed that international lines had some kind of signal amplification applied to them. Still, over such long stretches it would probably pick up a fair bit of line noise as well...

Remember kids, with an analog call there are actual wires going from end to end. Because of that the long-time engineers at AT&T balked at the packet switching idea that powers the net we use right now. This because it broke their most sacred rule: never break the circuit during a call.

Btw, the actual wires bit was why long distance was (and to some extent still is) expensive. There were a limited number of wires in the bundle going between switches, and each call needed a pair of them. So to maximize the utility of them, there was a per-minute charge on such calls. This to give callers an incentive to keep the call short, freeing up the wires for use with another call.

Phone systems are a racket in and of themselves. Ancient, proprietary, inflexible, expensive garbage, the whole pile of it. I'd say the blame here lies squarely with overpriced vendors, who swoop in and set it all up, throw a binder at the local sys admin, and disappear, only to show up again at lawyer rates.

As a result, they're poorly updated, often left vulnerable, and few people really understand how it all works, except the vendors who, again, care more about billable hours than much else.

I'm willing to bet that this sort of things goes on all the time in all kinds of forms, theft of services and outright espionage among them. Only these guys were greedy enough to get noticed and caught.

I don't know about all PBX systems, but I did once work as a security software designer for a company that formerly made a PBX that was very common in North America and the UK. We went to great lengths to offer security defaults that would keep the system secure...

The problem is that large PBX manufacturers virtually never sold equipment directly to customers. We had a distributor model, and the distributors were the customer's direct contact. It used to be said that we would figure out our costs, double them (so as to make a profit) to set the price to the distributor, and that the distributor doubled that price again to set the price for the customer. Even at that, the initial cost of the hardware is virtually insignificant... you could get the hardware for free if you signed up for ongoing costs in the form of a maintenance agreement.

The reasons for such a situation are long and complicated... but know this: Technology is hard to understand for 99% of the populace that doesn't visit Ars... and the phone system is one of the earliest forms of technology that most people ever came in contact with. (As one example, there should be no need to remind you that Unix is an AT&T invention, for example.) Because the technology is complex, the people who really understand it are in high demand, and thus command a premium for their services (or salaries.) So you have a situation ripe for consultants to come in and milk customers' pocketbooks...

To me... the problem seems to stem from a lack of accountability. (Companies need to track their PBX costs against a revenue generating activity for example.) All PBX systems produce call logs... and generally in a "standard format"... and there are plenty of tools available in the trade to get these logs and analyse them (think hotel long distance billing as a common example)... so there is no excuse for a customer not to demand decent call log info...

(As one example, there should be no need to remind you that Unix is an AT&T invention, for example.)

Given away for the cost of the media and postage, as AT&T was worried that they could not tie it directly to their Phone network business. And so getting license fees for it could attract regulatory ire...

Only with the advent of BSD on x86 did they get litigious, but at that point the cat was already out of the bag and running for the hills.

At the time both Bell Labs and Xerox PARC produced creations that had little to do with the core business of the corporation footing the bills.

This kind of attack is quite common. AT&T should be commended for noticing and acting on this as we have seen cases where phone companies and ISPs do not notice it. Had one person tell us about his company being hit for $400,000 in 2 days (http://www.youtube.com/watch?v=ro8WMr04iBA). Had another tell us how they had a customer reset the PBX password back to default and then connected it to the Internet. In under 11 min. it was found and hacked.

Most companies do not notice this kind of fraud until the bill comes (up to a month later) if at all. Large companies could have an extra $100,000 on the bill and not even notice it.

You need proactive protection and to monitor your system as no one can do it for you 100% of the time.

Eric
Eric (at) humbuglabs.org